Harden a bit, update some sections, add a README section

Author: ianmcorvidae

.github/workflows/container-build.yaml

@@ -17,7 +17,6 @@ env:
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
-    continue-on-error: true
     permissions:
       contents: read
       packages: write
@@ -32,26 +31,27 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
 
       - name: Login to Container registry
-        uses: docker/login-action@v2
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -67,9 +67,9 @@ jobs:
             suffix=${{ matrix.suffix }}
 
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v6
         with:
-          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
           context: .
           file: ${{ matrix.container }}
           push: ${{ github.event_name != 'pull_request' }}

Containerfile.alpine

@@ -7,18 +7,24 @@ ARG TARGET_ARCH="library"
 
 FROM docker.io/${TARGET_ARCH}/python:${TARGET_VERSION}
 
-WORKDIR /usr/local/app
+WORKDIR /tmp/build
 
-COPY . /usr/local/app
+COPY . /tmp/build
 
 RUN _poetry_venv_dir="$(mktemp -d -p "${TMPDIR:-/tmp}" 'poetry_venv.XXXXXX')" && \
     python -m 'venv' "${_poetry_venv_dir}" && \
-    "${_poetry_venv_dir}/bin/pip" install 'poetry' && \
+    "${_poetry_venv_dir}/bin/pip" install --no-cache-dir 'poetry' && \
     "${_poetry_venv_dir}/bin/poetry" config --local virtualenvs.create false && \
-    "${_poetry_venv_dir}/bin/poetry" install && \
+    "${_poetry_venv_dir}/bin/poetry" install --without dev --extras cli --extras tunnel --no-interaction --no-ansi && \
+    addgroup -S meshtastic && \
+    adduser -S -G meshtastic -h /home/meshtastic meshtastic && \
     rm -f -r "${_poetry_venv_dir}" && \
-    rm -f -r "/usr/local/app"
+    rm -f -r "/tmp/build"
 
 COPY "./bin/container-entrypoint.sh" "/init"
+RUN chmod 0755 /init
+
+WORKDIR /home/meshtastic
+USER meshtastic
 
 ENTRYPOINT [ "/init" ]

Containerfile.debian

@@ -7,18 +7,23 @@ ARG TARGET_ARCH="library"
 
 FROM docker.io/${TARGET_ARCH}/python:${TARGET_VERSION}
 
-WORKDIR /usr/local/app
+WORKDIR /tmp/build
 
-COPY . /usr/local/app
+COPY . /tmp/build
 
 RUN _poetry_venv_dir="$(mktemp -d -p "${TMPDIR:-/tmp}" 'poetry_venv.XXXXXX')" && \
     python -m 'venv' "${_poetry_venv_dir}" && \
-    "${_poetry_venv_dir}/bin/pip" install 'poetry' && \
+    "${_poetry_venv_dir}/bin/pip" install --no-cache-dir 'poetry' && \
     "${_poetry_venv_dir}/bin/poetry" config --local virtualenvs.create false && \
-    "${_poetry_venv_dir}/bin/poetry" install --no-directory && \
+    "${_poetry_venv_dir}/bin/poetry" install --without dev --extras cli --extras tunnel --no-interaction --no-ansi && \
+    useradd --system --create-home --home-dir /home/meshtastic meshtastic && \
     rm -f -r "${_poetry_venv_dir}" && \
-    rm -f -r "/usr/local/app"
+    rm -f -r "/tmp/build"
 
 COPY "./bin/container-entrypoint.sh" "/init"
+RUN chmod 0755 /init
+
+WORKDIR /home/meshtastic
+USER meshtastic
 
 ENTRYPOINT [ "/init" ]

README.md

@@ -27,6 +27,24 @@ This small library (and example application) provides an easy API for sending an
 It also provides access to any of the operations/data available in the device user interface or the Android application.
 Events are delivered using a publish-subscribe model, and you can subscribe to only the message types you are interested in.
 
+## Container usage
+
+Container images are published to GHCR for this repository. The container entrypoint defaults to running `meshtastic`,
+so CLI flags can be passed directly:
+
+```bash
+docker run --rm ghcr.io/meshtastic/python --help
+```
+
+To run another command, pass it explicitly (for example, a shell):
+
+```bash
+docker run --rm -it --entrypoint /bin/sh ghcr.io/meshtastic/python
+```
+
+The container runs as a non-root user by default. When talking to local hardware, pass the serial device through
+explicitly (for example `--device /dev/ttyUSB0:/dev/ttyUSB0`) and ensure host device permissions allow access.
+
 ## Call for Contributors
 
 This library and CLI has gone without a consistent maintainer for a while, and there's many improvements that could be made. We're all volunteers here and help is extremely appreciated, whether in implementing your own needs or helping maintain the library and CLI in general.